
Locating Prefix Hijackers using LOCK

Tongqing Qiu+, Lusheng Ji*, Dan Pei*, Jia Wang*, Jun (Jim) Xu+, Hitesh Ballani++
+ College of Computing, Georgia Tech


  1. Locating Prefix Hijackers using LOCK

 Tongqing Qiu+, Lusheng Ji*, Dan Pei*, Jia Wang*, Jun (Jim) Xu+, Hitesh Ballani++
 + College of Computing, Georgia Tech
 * AT&T Lab – Research
 ++ Department of Computer Science, Cornell University


  2. Outline

 • Background & Motivation
 • System Architecture
 • Basic algorithm and improvements
 • Evaluation
 • Conclusion


  3. Background

 • Autonomous System (AS)
 • Border Gateway Protocol (BGP)
 • Profit-driven policy

 [Figure: ASes A, B, C, D and E connected by peer-peer and customer-provider links and exchanging AS update messages; speech bubble "I own prefix p!"; AS paths shown: BE, DE, ABE, CBE; annotation "CBE or CDE?"]


  4. Background (cont.)

 • BGP lacks authentication
 • Fabricated AS announcement
 • Prefix hijacking
   – Blackholing
   – Imposture
   – Interception

 [Figure: ASes A, B, C, D and E with prefix p, connected by peer-peer and customer-provider links and exchanging AS update messages; speech bubble "I own prefix p!"; AS paths shown: BA, CBA, CBE]


  5. State of Art

 • Proactive
   – Prevent hijacks from happening
     • e.g. [Kent et al. JSAC 00], [Aiello et al. CCS 03], [Subramanian et al. NSDI 04], [Karlin et al. ICNP 06], etc.
   – Deployment issues:
     • Routing infrastructure modification
     • Difficulties of incremental deployment
     • PKI requirement
 • Reactive
   – Detection
     • e.g. [Lad et al. Usenix Security 06], [Ballani et al. Sigcomm 07], [Zheng et al. Sigcomm 07], [Hu et al. IEEE S&P 07], [Zhang et al. Sigcomm 08], etc.
   – Recovery
     • e.g. [Zhang et al. CoNext 07]


  6. A Complete and Automated Solution?

 Detect, Locate, Recover

 • Locating is important
   – Provide key information for recovery/mitigation
 • Locating is not trivial
   – Current practice
     • Identify newly appeared origin AS of prefix p

 [Figure: ASes A, B, C, D and E with prefix p; A labelled "announce AE"; AS paths shown: BA, BAE, CBA, CBAE]


  7. System Architecture of LOCK

 Input: Target prefix p
 Output: A is the hijacker!

 [Figure: ASes A, B, C, D and E with prefix p, connected by peer-peer and customer-provider links]


  8. Key Components of LOCK

 • Monitor Selection (from candidates)
   – Maximize the likelihood of observing hijacking events on the target prefix
   – Maximize the diversity of paths from monitors to the target prefix
 • Locating Scheme
   – Using AS path information
   – Infer the hijacker location (how?)


  9. Two key observations

 • Countermeasure ability
   – The hijacker cannot manipulate the portion of AS path from a polluted vantage point to the upstream neighbor AS of the hijacker AS

 [Figure: monitors M1, M2 and M3; ASes A, B, C, D, H, X, Y, Z and T; T owns prefix p; path labels AH, AX, BH, BX]


  10. Two key observations

 • Convergence: The trustworthy portion of polluted AS paths from multiple vantage points to a hijacked victim AS prefix converge around the hijacker AS (based on real AS topology).

 [Figure: monitors M1, M2 and M3; ASes A, B, C, D, H, X, Y, Z and T; prefix p; path labels AH, AX, BH, BX; annotations "converge at H" and "converge at X?"]


  11. Basic Locating Algorithm

 • Identifying hijacker search space
   – Neighborset of one AS: ASes one-hop away (include itself)
   – Based on existing AS topology
   – The union of neighborset of all ASes on all polluted paths (why?)
   – The hijacker should be in the space (based on observation 1)
 • Ranking all ASes in the search space
   – Based on observation 2
   – The more frequently an AS appears, the higher its ranking is
   – Tie breaker: The closer an AS is to the monitors, the higher its ranking is


  12. Basic Locating Algorithm Example

 [Figure: monitors M1, M2 and M3; ASes A, B, C, D, H, X, Y, Z and T; prefix p; path labels AX, BX]

 | Monitors | Polluted AS PATH | Neighbor Set    |
 | M1       | A X              | (A H) (H X Y)   |
 | M2       | B X              | (B H C) (H X Y) |

 Hijacker List: H (4 times) > X > Y (2 times) > A = B > C (once)
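The ranking from slides 11 and 12, worked through in code. This is an added example, not code from the LOCK authors: the adjacency map is constructed to match the neighbor sets on slide 12, and the distance used for the tie breaker (position of the AS on the polluted path, plus one hop for a neighbor that is not on the path) is an assumption, since the slides do not define it.

```python
from collections import Counter

# Constructed AS adjacency matching the slide-12 neighbor sets (undirected).
TOPOLOGY = {
    "A": {"H"},
    "B": {"H", "C"},
    "C": {"B"},
    "H": {"A", "B", "X"},
    "X": {"H", "Y"},
    "Y": {"X"},
}

# Polluted AS paths as reported to each monitor, nearest AS first.
POLLUTED_PATHS = {"M1": ["A", "X"], "M2": ["B", "X"]}


def neighborset(asn, topology):
    """ASes one hop away from asn in the known topology, including asn."""
    return {asn} | topology.get(asn, set())


def rank_suspects(paths, topology):
    """Return [(asn, appearances, distance)], most suspicious first.

    The search space is the union of the neighborsets of every AS on every
    polluted path. An AS is counted once per neighborset it appears in;
    ties are broken by the smallest distance to any monitor (assumed
    metric), then by name so the output is deterministic.
    """
    count = Counter()
    distance = {}
    for path in paths.values():
        for hop, on_path in enumerate(path):
            for cand in neighborset(on_path, topology):
                count[cand] += 1
                d = hop if cand == on_path else hop + 1
                distance[cand] = min(d, distance.get(cand, d))
    return sorted(
        ((asn, count[asn], distance[asn]) for asn in count),
        key=lambda row: (-row[1], row[2], row[0]),
    )


if __name__ == "__main__":
    for asn, seen, dist in rank_suspects(POLLUTED_PATHS, TOPOLOGY):
        print(f"AS {asn}: in {seen} neighborsets, {dist} hop(s) from a monitor")
```

H never appears on either polluted path, yet it ranks first because it sits in the neighborset of every AS the monitors did report.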


  13. Improvements

 • Search space of basic algorithm
   – Trim the suspect list
 • Improvement I: AS relationship
   – Basic algorithm neighborset
   – Valley free
   – Trim the neighborset on "trustworthy" ASes
 • Improvement II: excluding "innocent" ASes
 • Two improvements may introduce false negatives


  14. Evaluation

 • Three sets of experiments:
   – Simulating synthetic prefix hijacking events
   – Reconstructed previous known hijacking events
   – Real prefix hijacking events


  15. Simulating Synthetic Prefix Hijacking Events

 • Hijacker h and source s from 73 Planetlab nodes
   – http://www.planet-lab.org/
 • 451 Target prefix t
   – Multiple Origin ASes (MOAS) prefix
   – Single Origin ASes with large traffic
   – Popular website (based on Alexa ranking)
 • Emulate all possible hijacking events
   – Based on the combination of (s, h, t)
   – Imposture, interception, and malicious (countermeasure) cases
 • Monitor selection
   – From Planetlab nodes
   – Based on the target prefix


  16. Effectiveness and Improvement

 • The accuracy of basic algorithm is 85%+
 • Combining both improvements, the accuracy is up to 94.3%
 • False negative ratio is relatively low.


  17. Reconstruct Previously-known Hijacking Events

 7 hijacking events
 Locate all hijackers


  18. Real Hijacking Events

 Prefix: 204.9.168.0/22

 [Figure: the Internet with sites Cornell, Seattle, Berkeley and Pittsburgh; labels "victim" and "hijacker"]


  19. Real Hijacking Events (cont.)


  20. Conclusion

 • LOCK to locate prefix hijacker ASes
   – First study of hijacker location problem
   – Locate the hijacker even when countermeasures are engaged
   – Extensive evaluation illustrates high location accuracy


  21. Acknowledgement

 • Authors Tongqing Qiu and Jun (Jim) Xu would like to acknowledge the generous support from the NSF CyberTrust program (specifically CNS 0716423)


  22. Thank You!

 • Questions

